[go: up one dir, main page]

CN115037480B - Device authentication and verification method, device, equipment and storage medium - Google Patents

Device authentication and verification method, device, equipment and storage medium Download PDF

Info

Publication number
CN115037480B
CN115037480B CN202210642088.1A CN202210642088A CN115037480B CN 115037480 B CN115037480 B CN 115037480B CN 202210642088 A CN202210642088 A CN 202210642088A CN 115037480 B CN115037480 B CN 115037480B
Authority
CN
China
Prior art keywords
activation
certificate
request
credential
generated
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210642088.1A
Other languages
Chinese (zh)
Other versions
CN115037480A (en
Inventor
黄阳琨
黄宙舒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Douyin Vision Beijing Co Ltd
Original Assignee
Douyin Vision Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Douyin Vision Beijing Co Ltd filed Critical Douyin Vision Beijing Co Ltd
Priority to CN202210642088.1A priority Critical patent/CN115037480B/en
Publication of CN115037480A publication Critical patent/CN115037480A/en
Priority to US18/836,689 priority patent/US20250168017A1/en
Priority to PCT/CN2023/093556 priority patent/WO2023236720A1/en
Application granted granted Critical
Publication of CN115037480B publication Critical patent/CN115037480B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

根据本公开的实施例,提供了设备认证和校验的方法、装置、设备和存储介质。设备认证的方法包括:在第一设备处,向第二设备发送设备激活请求,该设备激活请求包括第一设备的身份认证信息以及响应于从第二设备接收到激活证书,将激活证书存储在与第一设备相关联的可信任环境中。该方法还包括向第二设备发送证书签名请求,该证书签名请求在可信任环境中至少部分地基于激活证书而生成以及将从第二设备接收的设备证书存储在可信任环境中,该设备证书基于证书签名请求而生成。以此方式,在节约开销的基础上实现了更为可靠的身份认证与鉴权机制,从而可以杜绝对设备的伪造或仿冒带来的非法牟利的漏洞风险。

According to an embodiment of the present disclosure, a method, apparatus, device and storage medium for device authentication and verification are provided. The method for device authentication includes: at a first device, sending a device activation request to a second device, the device activation request including identity authentication information of the first device and, in response to receiving an activation certificate from the second device, storing the activation certificate in a trusted environment associated with the first device. The method also includes sending a certificate signing request to the second device, the certificate signing request being generated in a trusted environment at least in part based on the activation certificate and storing a device certificate received from the second device in a trusted environment, the device certificate being generated based on the certificate signing request. In this way, a more reliable identity authentication and authorization mechanism is implemented on the basis of saving overhead, thereby eliminating the risk of loopholes for illegal profiteering caused by counterfeiting or impersonation of devices.

Description

Method, device, equipment and storage medium for equipment authentication and verification
Technical Field
Example embodiments of the present disclosure relate generally to the field of computers and, more particularly, relate to methods, apparatuses, devices, and computer-readable storage media for device authentication and verification.
Background
Currently, with the development of communication technology, more and more users acquire different types of services from service providers through smart communication devices such as smart phones, tablets, wearable devices and the like. However, lawbreakers often make use of the characteristics of such devices that facilitate counterfeiting and impersonation to perform a large number of virtual copies to implement such lawless actions as identity cheating and lawless mueller. Therefore, effective means are needed to fundamentally eliminate the vulnerability risk of such illegal benefits.
Disclosure of Invention
In a first aspect of the present disclosure, a method of device authentication is provided. The method includes, at a first device, sending a device activation request to a second device, the device activation request including identity authentication information of the first device and storing an activation credential in a trusted environment associated with the first device in response to receiving the activation credential from the second device. The method also includes sending a certificate signing request to the second device, the certificate signing request being generated in the trusted environment based at least in part on the activation certificate and storing a device certificate received from the second device in the trusted environment, the device certificate being generated based on the certificate signing request.
In a second aspect of the present disclosure, a method of device verification is provided. The method includes looking up an activation credential in a trusted environment associated with the first device, the activation credential generated by a second device for authenticating the first device. In response to determining that the activation credential exists in the trusted environment, the activation credential is locally verified. The method also includes generating an activated verification identity for identity verification of the first device for the local service in response to the activation credential passing the local verification.
In a third aspect of the present disclosure, a method of device authentication is provided. The method includes verifying, at the second device, identity authentication information of the first device indicated in the device activation request in response to receiving the device activation request from the first device. And sending an activation certificate to the first device in response to successful verification of the identity authentication information. The method also includes, in response to receiving the certificate signing request from the first device, transmitting a device certificate to the first device, the device certificate generated based on the certificate signing request.
In a fourth aspect of the present disclosure, an apparatus for device authentication is provided. The apparatus includes an activation request transmitting module configured to transmit a device activation request to a second device, the device activation request including identity authentication information of the first device, an activation credential storage module configured to store an activation credential in a trusted environment associated with the first device in response to receiving the activation credential from the second device, a credential signature request transmitting module configured to transmit a credential signature request to the second device, the credential signature request being generated in the trusted environment based at least in part on the activation credential, and a device credential storage module configured to store a device credential received from the second device in the trusted environment, the device credential being generated based on the credential signature request.
In a fifth aspect of the present disclosure, an apparatus for device verification is provided. The apparatus includes an activation credential lookup module configured to lookup an activation credential in a trusted environment associated with a first device, the activation credential generated by a second device for authenticating the first device, a local verification module configured to locally verify the activation credential in response to determining that the activation credential is present in the trusted environment, and an activated verification identity generation module configured to generate an activated verification identity for identity verification of the first device for local services in response to the activation credential passing the local verification.
In a sixth aspect of the present disclosure, an apparatus for device authentication is provided. The apparatus includes an authentication information verification module configured to verify identity authentication information of a first device indicated in a device activation request in response to receiving the device activation request from the first device, an activation credential transmission module configured to transmit an activation credential to the first device in response to the verification of the identity authentication information being successful, and a device credential transmission module configured to transmit a device credential to the first device in response to receiving a credential signature request from the first device, the device credential generated based on the credential signature request.
In a seventh aspect of the present disclosure, an electronic device is provided. The apparatus includes at least one processing unit, and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit. The instructions, when executed by at least one processing unit, cause an apparatus to perform the method of the first, second or third aspect.
In an eighth aspect of the present disclosure, a computer-readable storage medium is provided. A medium having stored thereon a computer program which when executed by a processor implements the method of the first, second or third aspect.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals denote like or similar elements, in which:
FIG. 1 illustrates a schematic diagram of an example environment in which embodiments of the present disclosure may be implemented;
FIG. 2 illustrates a schematic diagram of an interaction process for device authentication, according to some embodiments of the present disclosure;
FIG. 3 illustrates a schematic diagram of an interaction process for device authentication, according to some embodiments of the present disclosure;
FIG. 4 illustrates a schematic diagram of an interaction process for device verification in accordance with some embodiments of the present disclosure;
Fig. 5 illustrates a flow chart of a process for device authentication according to some embodiments of the present disclosure;
FIG. 6 illustrates a flow chart of a process for device verification according to some embodiments of the present disclosure;
fig. 7 illustrates a flow chart of a process for device authentication according to some embodiments of the present disclosure;
FIG. 8 illustrates a flow chart of a process for device verification according to some embodiments of the present disclosure;
fig. 9 illustrates a block diagram of an apparatus for device authentication, according to some embodiments of the present disclosure;
FIG. 10 illustrates a block diagram of an apparatus for device verification in accordance with some embodiments of the present disclosure;
FIG. 11 illustrates a block diagram of an apparatus for device authentication, according to some embodiments of the present disclosure;
FIG. 12 illustrates a block diagram of an apparatus for device verification in accordance with some embodiments of the present disclosure, and
Fig. 13 illustrates a block diagram of an apparatus capable of implementing various embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been illustrated in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather, these embodiments are provided so that this disclosure will be more thorough and complete. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
In describing embodiments of the present disclosure, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". Other explicit and implicit definitions are also possible below.
As described above, when a user obtains a corresponding service using a smart communication device such as a smart phone, a smart tablet, or a wearable device, the risk of counterfeiting and impersonation of the device is often faced. The lawless person performs identity cheating by forging and fraudulent use of equipment and further obtains lawless benefits.
At present, illegal actions such as cheating in brushing amount, embezzling or forging equipment information of a real user by manufacturing virtual equipment through a simulator and fraudulently taking unauthorized service resources from a server side by utilizing the forged equipment information are lack of effective means for identification, so that risks of damage to benefits exist for both the user and the server.
In embodiments of the present disclosure, the term "device authentication" may relate to an identity information registration and status activation procedure of a terminal device at a remote device. In embodiments of the present disclosure, the term "device verification" may relate to authentication of a terminal device, which is performed during a request for a local or remote service, according to identity information of the terminal device, which has been authenticated during a device authentication process.
According to various embodiments of the present disclosure, a scheme for device authentication and verification is presented. For example, during authentication of a terminal device, a service provider can provide an activation certificate for the terminal device to the device according to the authentication information of the terminal device. After storing the activation certificate in a trusted environment (TEE) of the terminal device, the terminal device sends a certificate signing request to a service provider. The service provider generates a device certificate by signing a public key generated by the terminal device in the certificate bookmark name request and transmits the device certificate to the terminal device. The terminal device stores the device certificate in the TEE to complete the authentication process of the terminal device.
When the terminal equipment requests the local or remote related service, if the terminal equipment searches the activation certificate for the terminal equipment in the trusted environment, the validity and validity of the activation certificate are verified. In one aspect, if the activation credential is successfully verified, an activated identification is generated for signature verification against locally accessible authorization services and resources. On the other hand, if the activation credential is successfully authenticated, the terminal device may send a remote service request to the service provider using the private key of the terminal device, and the service provider may authenticate the service request with the public key in the device credential to send a response to the service request.
According to implementations of the present disclosure, a more trusted device identity authentication and verification process may be provided by mutual validation of identity and authorization services between the device side and the server side with an activation certificate and a device certificate in combination with a digital signature in a trusted environment (TEE). In this way, forgery and impersonation for devices can be stopped and illegal acquisition of service resources on the device local or server side can be prevented.
Example Environment
Referring first to FIG. 1, a schematic diagram of an example environment 100 in which an example implementation according to the present disclosure may be implemented is schematically illustrated.
As shown in fig. 1, environment 100 may include a terminal device 110 (also referred to as a first device in this disclosure) and a remote device 120 (also referred to as a second device in this disclosure). In the example environment 100, a remote device 120 may communicate with a terminal device 110 to enable provisioning of services requested for the terminal device 110.
In some embodiments, the services requested by terminal device 110 may include, for example, services obtained directly from remote device 120, or services provided by remote device 120 to applications installed on terminal device 110.
In some embodiments, during the process of terminal device 110 establishing a connection with remote device 120 and requesting a desired service, remote device 120 may authenticate the identity of terminal device 110 to determine the service rights that terminal device 110 is able to request to provide terminal device 110 with services within the range allowed by the service rights.
In some embodiments, terminal device 110 may be any type of mobile terminal, fixed terminal, or portable terminal, including a mobile handset, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, media computer, multimedia tablet, personal Communication System (PCS) device, personal navigation device, personal Digital Assistant (PDA), audio/video player, digital camera/video camera, positioning device, television receiver, radio broadcast receiver, electronic book device, gaming device, or any combination of the preceding, including accessories and peripherals for these devices, or any combination thereof. In some embodiments, terminal device 110 is also capable of supporting any type of interface to the user (such as "wearable" circuitry, etc.). The remote device 120 may be, for example, various types of computing systems/servers capable of providing computing capabilities, including but not limited to, mainframes, edge computing nodes, computing devices in a cloud environment, and so forth.
It should be understood that the structure and function of environment 100 are described for illustrative purposes only and are not meant to suggest any limitation as to the scope of the disclosure.
Device authentication procedure
Fig. 2 illustrates a schematic diagram of a process 200 for device authentication according to some embodiments of the present disclosure. Process 200 may be implemented at terminal device 110 and remote device 120. For ease of discussion, the process 200 will be described with reference to the environment 100 of FIG. 1.
Referring now to fig. 2, a terminal device 110 sends (204) an authentication activation request for the terminal device 110 to a remote device 120. The authentication activation request may include identity authentication information of the terminal device 110.
In some embodiments, the identity authentication information may include a Device identification (Device ID) of the terminal Device 110. The device identifier is a unique identifier of the terminal device 110, and may be typically a chip identifier of the terminal device 110 or a production serial number of the terminal device 110. The device identification may be written into a trusted environment associated with the terminal device 110 at the time the terminal device 110 is produced to ensure authenticity and non-tamper-ability of each reading.
In some embodiments, the identity authentication information may further include password information such as an activation code of the terminal device 110 itself or an account number and password of the application or service requested by the terminal device 110. It should be appreciated that the identity authentication information may include other information corresponding to the current request activation scenario under different request activation scenarios for terminal device 110.
The remote device 120 verifies the identity authentication information received from the terminal device 110. In some implementations, the remote device 120 may determine a range of services authorized by the terminal device 110, such as services that the terminal device 110 may use, based on the authentication information. Alternatively or additionally, the remote device 120 may also determine the age at which the terminal device 110 may use these services. Remote device 120 may generate authorized content for terminal device 110 based on the content determined above,
In some embodiments, the remote device 120 may generate a pair of asymmetric key pairs (also referred to as a first asymmetric key pair in this disclosure). The first asymmetric key pair may be generated, for example, by a public key system (RSA). Alternatively or additionally, the asymmetric key pair may also be generated by other digital signature methods such as Digital Signature Algorithm (DSA), elliptic Curve Digital Signature Algorithm (ECDSA), etc.
The remote device 120 may hash the determined authorized content for the terminal device 110 to generate a digest value. By encrypting the authorized content and digest value with the first private key of the first asymmetric key pair, the remote device 120 may generate (206) an activation certificate (activate. Crt) for the terminal device 110. The first public key of the first asymmetric key pair may be included in the activation certificate in addition to the encrypted content trust. In addition, the activation certificate may also include a device identity of the terminal device 110. It should be appreciated that a present activation certificate is uniquely issued by the remote device 120 for a terminal device.
The remote device 120 sends 208 the generated activation certificate to the terminal device 110. After receiving the activation certificate, the terminal device 110 may perform signature verification on the activation certificate. For example, terminal device 110 may decrypt the signature of the activation certificate using the first public key in the activation certificate to obtain field information in the activation certificate, such as authorized content and a digest value associated with the authorized content. The terminal device 110 may also hash the authorized content to generate another digest value and compare the other digest value to the digest value decrypted from the activation certificate. If the two digest values are the same, this indicates that the activation certificate was successfully verified.
The successfully verified activation certificate may be stored (210) by the terminal device 110 into a trusted environment associated with the terminal device 110. In some embodiments, the trusted environment of terminal device 110 depends on the type of operating system running on terminal device 110. For example, the system running on the terminal device 110 is an android system, the trusted environment may be a trusted environment based on the android system. Alternatively or additionally, the trusted environment of the terminal device 110 may also depend on other hardware and/or software environments associated with the terminal device 110. By introducing a trusted environment, sensitive information such as certificates, keys and the like of a trusted load can be prevented from being revealed.
A pair of asymmetric key pairs (also referred to as a second asymmetric key pair in this disclosure) may also be generated at terminal device 110. The terminal device 110 may encrypt field information, e.g., authorized content, obtained from the activation certificate with the second private key of the second asymmetric key pair and generate (212) a certificate signing request based on the encrypted field information and the second public key of the second asymmetric key pair. The certificate signing Request may be, for example, a signing Request file (CERTIFICATE SIGNING Request, CSR).
The terminal device 110 sends (214) the certificate signing request to the remote device 120. The remote device 120 may generate (216) a device certificate based on the certificate signing request.
Optionally, the remote device 120 may encrypt the second public key and field information included in the certificate bookmark request with the third private key in the third asymmetric key pair to generate a device certificate (device. Crt). A third public key of a third asymmetric key pair may also be included in the device certificate.
The device certificate may also include a device identity of the terminal device 110. It should be appreciated that a device certificate is uniquely issued by the remote device 120 for a terminal device.
The remote device 120 sends (218) the device certificate to the terminal device 110. The terminal device 110 may acquire the second public key and the field information by decrypting the device certificate with the third public key. If the terminal device 110 determines that the second public key has not been tampered with, the device certificate is stored 220 into a trusted environment. In addition, terminal device 110 may also send an activation confirmation request for terminal device 110 to remote device 120. Once the remote device 120 receives the activation confirmation request, the current state of the terminal device 110 is set to active.
Alternatively, the terminal device 110 may perform a device restart after sending an activation confirmation request to the remote device 120.
In the example process 200 illustrated in fig. 2, the terminal device 110 may alternatively or additionally establish (202) a secure connection with the remote device 120. In some embodiments, the secure connection may be a mTLS connection. mTLS the connection is a link layer security protocol based connection that enables a bi-directional encrypted channel to be established between the terminal device 110 and the remote device 120 to secure communications between the terminal device 110 and the remote device 120. Once connected, mTLS communications between terminal device 110 and remote device 120 may take place under a link layer security protocol. For example, the authentication activation request and the certificate signing request sent by the terminal device 110 to the remote device and the activation certificate and the device certificate sent by the remote device 120 to the terminal device, which have been described above, may each be transmitted via the mTLS connection.
By adopting mTLS-based secure connection, a secure channel for trust transfer can be constructed at the initial stage of information interaction between the terminal device 110 and the remote device 120, thereby providing a preliminary security guarantee for the communication process between the terminal device 110 and the remote device 120.
In some implementations, the mTLS connection may be established by a preset certificate (pre. The preset certificate may be included in the factory settings of the terminal device 110. The preset certificate includes a private key (pre.key). The private key may be stored in terminal device 110. The preset certificate may also include a batch certificate of the terminal device 110 and a public key of the preset certificate. The preset certificate may be set to a long-term valid type of certificate.
In some embodiments, the same preset certificate may be configured for different terminal devices. For example, the different terminal devices may be different terminal devices produced in the same batch. In this way, the cost caused by respectively configuring different preset certificates for different terminal devices can be reduced.
It should be understood that the mTLS connection established between terminal device 110 and remote device 120 is but one implementation of the present disclosure. Alternatively or additionally, communication between terminal device 110 and remote device 120 may also be based on other security protocols.
In this way, the terminal device 110 and the remote device 120 each hold a digital certificate containing authentication content, thereby enabling complete identity authentication of the device by the server through mutual nesting of the activation certificate and the device certificate.
In the device authentication process described in connection with fig. 2, the terminal device 110 ensures the reliability of the device authentication process by acquiring the security certificate issued by the remote device 120 in a trusted environment. In some embodiments, interactions between terminal device 110 and remote device 120 may also include interactions between the various components involved in terminal device 110 and remote device 120.
Fig. 3 illustrates a schematic diagram of an interaction process for device authentication according to some embodiments of the present disclosure. In fig. 3, remote device 120 may include gateway 121, server 122, database 123, and certificate authority 124. The process 300 of device authentication is described in further detail below in conjunction with fig. 3. A detailed description of the same or similar steps in process 300 as process 200 is not repeated here.
Referring now to fig. 3, a secure connection may be established (302) between terminal device 110 and gateway 121. Terminal device 110 sends (304) an authentication activation request for the terminal device 110 to gateway 120. The authentication activation request may include identity authentication information of the terminal device 110. Gateway 121 forwards (306) the authentication activation request to server 122. The server 122 may query 308 from the database 123 for authentication information associated with the terminal device 110. If the database 123 determines that the received authentication information of the terminal device 110 and the authentication information queried in the database 123 match each other, a result of the query success is transmitted (310) to the server 122. The server 122 generates an activation credential issuance request and sends (312) the activation credential issuance request to the credential center 124. The issuing request may include, for example, a service range determined by the server 122 that the terminal device 110 is authorized, for example, a service that the terminal device 110 may use.
In some embodiments, certificate authority 124 may generate a digest value for a range of services (also referred to as authorized content in this disclosure) authorized by terminal device 110 through a hash calculation and encrypt the authorized content and the digest value with a first private key of a first asymmetric key pair to generate an activation certificate. The activation certificate is sent (314) from certificate authority 124 to terminal device 110 via server 123 and gateway 122. The activation certificate may include a first public key of a first asymmetric key pair.
After the activation credential is successfully authenticated by the terminal device 110 based on the first public key, the terminal device 110 stores (316) the activation credential into a trusted environment.
The terminal device 110 may encrypt field information, e.g., authorized content, obtained from the activation certificate with a second private key of a second asymmetric key pair generated thereby, and generate (318) a certificate signing request based on the encrypted field information and the second public key of the second asymmetric key pair.
Terminal device 110 sends 320 a certificate signing request to server 122 via gateway 121. The server 122 invokes (322) a certificate issuing interface of the certificate authority 124 based on the certificate signing request. At the certificate authority 124, the second public key and field information included in the certificate bookmark request may be encrypted with a third private key of a third asymmetric key pair to generate a device certificate. A third public key of a third asymmetric key pair may also be included in the device certificate.
Certificate authority 124 sends (324) the issued device certificate to server 122, and server 122 sends (326) the device certificate to terminal device 110 via gateway 121.
Terminal device 110 stores 328 the device certificate into a trusted environment and sends 330 an activation confirmation request to server 122 via gateway 121. Server 122, upon receiving the activation confirmation request, requests (332) from database 123 a change of the state of terminal device 110 in database 123 to activation success.
The interaction between the corresponding components in the terminal device 110 and the remote device 120 is further described by means of fig. 3. It should be appreciated that fig. 3 only illustrates exemplary components included in remote device 120. The components included in the remote device 120 shown in fig. 3 may be modified or replaced.
Device verification process
The security certificate obtained in the device authentication process described in connection with fig. 2 and 3 may be utilized to secure data of both the service provider and the service receiver at the same time when the terminal device 110 requests a local or remote service. Fig. 4 illustrates a flow chart of a process 400 of device verification according to some embodiments of the present disclosure. Process 400 may be implemented at terminal device 110 and remote device 120. For ease of discussion, the process 400 will be described with reference to the environment 100 of FIG. 1.
Referring now to fig. 4, after terminal device 110 is restarted or booted, terminal device 110 looks up (402) whether an activation credential is stored in its trusted environment. If it is determined that the activation certificate already exists, the terminal device 110 may determine whether the activation certificate is still valid based on the validity and/or aging of the activation certificate indicated in the activation certificate.
If it is determined that the activation credential does not exist, an activation status identification is generated to trigger a device authentication process such as that described in connection with fig. 2 and 3.
In some embodiments, if terminal device 110 determines that the activation credential is still valid, an activation status identification is generated (404). The activation state identification may be generated, for example, by a device certificate stored in a trusted environment associated with terminal device 110. For example, the digest value is generated based on field information (e.g., authorized content) in the device certificate by hash calculation, and then the digest value is encrypted by a private key in a second asymmetric key pair generated by the terminal device 110 to generate the activation state identification.
In some embodiments, if terminal device 110 determines that the activation certificate is invalid or tampered with, a shutdown of terminal device 110 is triggered and/or an alert is sent to remote device 120.
As already described hereinabove, the terminal device 110 may request a local service or a remote service. The local service may be considered a service that has been provided by the remote device 120 to the local of the terminal device 110, which may include an offline service that has been installed at the terminal device 110 or that has been authorized at the terminal device 110, such as an offline service provided by an application installed on the terminal device 110, an offline game, or an offline book, etc. Conversely, remote services may be considered online services that need to be provided by remote device 120.
Upon requesting the local service, terminal device 110 may perform a signature check on the generated activation status identification (406). During the verification process, the activation state identification is decrypted by the public key of the second asymmetric key pair generated by the terminal device 110 to obtain the digest value. The terminal device 110 may compare the decrypted digest value with the digest value obtained through the hash calculation, and if the two match each other, determine that the signature verification of the generated activation status identification is successful. Terminal device 110 may access or acquire the requested local service. If the two do not match, the provision of the requested service to the terminal device 110 is denied.
Signature verification of the generated activation status identification is also required when requesting remote services. If the activation status identification is successfully verified, the service request is generated by encrypting the requested remote service content with the private key of the second asymmetric key pair generated by the terminal device 110. Terminal device 110 sends 408 the service request to remote device 120. The remote device 120 decrypts (410) the service request with the public key of the second asymmetric key pair generated by the terminal device 110 to validate the service request. Similarly, the remote device 120 obtains the requested service content by decryption of the public key and the digest value obtained by the terminal device 110 by hashing the service content. The remote device 120 may hash the requested service content to a digest value and compare the digest value to the decrypted digest value. If the two match each other, it is determined that the service request was successfully authenticated. In this case, the remote device 120 may provide 412 the service content requested by it to the terminal device 110.
In this way, during the process of the device making a service request, the identity of the device is verified based on the security certificate obtained in the device authentication stage, so that counterfeiting and impersonation actions aiming at the device are effectively stopped, and further the benefits of the service provider and the service receiver are prevented from being illegally infringed.
Example procedure
Fig. 5 illustrates a flow chart of a process 500 for device authentication according to some embodiments of the present disclosure. The process 500 may be implemented at the first device 110.
At block 510, the first device sends a device activation request to the second device. The device activation request includes authentication information of the first device.
At block 520, the first device determines whether an activation credential is received. If the first device determines that an activation credential was received, then at block 530 the activation credential is stored in a trusted environment associated with the first device.
In some embodiments, the first device may verify the signature of the activation certificate based on a first public key of a first asymmetric key pair that is used by the second device to sign the activation certificate. If it is determined that the signature verification passes, the first device may store the activation certificate in a trusted environment.
In some embodiments, the first device may generate a second asymmetric key pair. The first device may sign the request for the certificate bookmark name with the second private key of the second asymmetric key pair and send the second public key of the second asymmetric key pair to the second device.
At block 540, the first device sends a certificate signing request to the second device. The certificate signing request is generated in a trusted environment based at least in part on the activation certificate.
At block 550, the first device stores the device certificate received from the second device in a trusted environment. The device certificate is generated based on the certificate signing request.
In some embodiments, a first device may establish a secure connection between the first device and the device for transmission of at least one of a device activation request, an activation credential, a credential signature request, and a device credential.
In some embodiments, the first device may send an activation acknowledgement to the second device.
Fig. 6 illustrates a flow chart of a process 600 for device verification according to some embodiments of the present disclosure. The process 600 may be implemented at the first device 110.
At block 610, the first device looks up an activation credential in a trusted environment associated with the first device, the activation credential generated by a second device for authenticating the first device.
At block 610, the first device determines whether an activation credential exists via the lookup result. If it is determined that an activation credential exists, the activation credential is locally verified at block 630. If it is determined that an activation credential is not present, at block 660, execution of the activation authentication process is triggered.
At block 640, the first device determines whether the activation credential is locally verified. If the activation credential is verified locally, the first device generates an activated verification identity at block 650. If the activation credential does not pass the local verification, at block 670 the first device is turned off and/or an alert is sent to the second device.
In some embodiments, locally verifying the activation credential includes at least one of verifying the validity of the activation credential and the validity period of the activation credential.
In some embodiments, the first device may generate a verification request if it is determined that the activation credential is verified locally. The verification request is signed with a second private key of a second asymmetric key pair that may be generated in a trusted environment, wherein the second public key has been sent by the first device to the second device during a previous device authentication process. The first device may also send a signed verification request to the second device for identity verification of the first device in the remote service.
Fig. 7 illustrates a flow chart of a process 700 for device authentication according to some embodiments of the present disclosure. Process 700 may be implemented at second device 120.
At block 710, the second device determines whether a device activation request is received from the first device. If it is determined that the device activation request was received, at block 720 the second device verifies the identity authentication information of the first device indicated in the device activation request.
At block 730, the second device determines whether the authentication information was verified successfully. If it is determined that the identity authentication information is verified successfully, the second device sends an activation credential to the first device at block 740. If the second device determines that a certificate signing request is received from the first device at block 750, the second device sends a device certificate to the first device, the device certificate being generated based on the certificate signing request at block 750.
In some embodiments, at least one of the device activation request, the activation certificate, the certificate signing request, and the device certificate is transmitted over a secure connection between the first device and the second device.
In some embodiments, the second device may also sign the activation certificate with the first private key of the first asymmetric key pair and send the first public key of the first asymmetric key pair to the first device.
In some embodiments, the second device may also obtain the second public key of the second asymmetric key pair from the certificate signing request. The second asymmetric key pair is generated in a trusted environment associated with the first device. The second device generates a device certificate by signing the second public key.
In some embodiments, the second device may also receive an activation acknowledgement for the first device from the first device.
Fig. 8 illustrates a flow chart of a process 800 for device verification according to some embodiments of the present disclosure. Process 800 may be implemented at second device 120.
If the second device receives a verification request from the first device at block 810, the second device signs the verification request with a second public key of a second asymmetric key pair at block 820. The second asymmetric key pair is generated in a trusted environment associated with the first device. At block 830, the second device sends a corresponding authentication response to the first device based on the result of the signature authentication.
Example apparatus and apparatus
Embodiments of the present disclosure also provide corresponding apparatus for implementing the above-described methods or processes. Fig. 9 shows a schematic block diagram of an apparatus 900 for device authentication according to some embodiments of the present disclosure.
As shown in fig. 9, apparatus 900 may include an activation request transmission module 910 configured to transmit a device activation request to a second device. The device activation request includes identity authentication information of the first device. The apparatus 900 may include an activation credential storage module 920 configured to store an activation credential in a trusted environment associated with the first device in response to receiving the activation credential from the second device. The apparatus 900 may further comprise a certificate signing request sending module 930 configured to send a certificate signing request to the second device, the certificate signing request being generated in the trusted environment based at least in part on the activation certificate and a device certificate storing module 940 configured to store the device certificate received from the second device in the trusted environment. The device certificate is generated based on the certificate signing request.
In some embodiments, the apparatus 900 may be further configured to establish a secure connection between the first device and the device for transmission of at least one of a device activation request, an activation credential, a credential signature request, and a device credential.
In some embodiments, the activation credential storage module 920 may be further configured to sign-verify the activation credential based on a first public key of a first asymmetric key pair that is used by the second device to sign the activation credential. If the signature verification is determined to pass, the activation certificate is stored in a trusted environment.
In some embodiments, apparatus 900 may be further configured to generate a second asymmetric key pair and sign the request for the certification bookmark name with a second private key of the second asymmetric key pair and send a second public key of the second asymmetric key pair to the second device.
In some embodiments, the apparatus 900 may be further configured to send an activation acknowledgement to the second device.
Fig. 10 illustrates a schematic block diagram of an apparatus 1000 for device verification according to some embodiments of the present disclosure.
As shown in fig. 10, the apparatus 1000 may include an activation credential lookup module 1010 configured to lookup an activation credential in a trusted environment associated with a first device. The apparatus 1000 may include a local verification module 1020 configured to locally verify the activation credential in response to determining that the activation credential exists in a trusted environment. The apparatus 1000 may further comprise an activated verification identity generation module 1030 configured to generate an activated verification identity for identity verification of the first device for the local service in response to the activation certificate passing the local verification.
In some embodiments, locally verifying the activation credential includes at least one of verifying the validity of the activation credential and the validity period of the activation credential.
In some embodiments, the apparatus 1000 may further include generating a verification request in response to the activation credential passing the local verification, signing the verification request with a second private key of a second asymmetric key pair, the second asymmetric key pair being generated in a trusted environment, wherein a second public key of the second asymmetric key pair has been sent by the first device to the second device during a previous device authentication process, and sending the signed verification request to the second device for identity verification of the first device in the remote service.
Fig. 11 illustrates a schematic block diagram of an apparatus 1100 for device authentication according to some embodiments of the present disclosure.
As shown in fig. 11, the apparatus 1100 may include an authentication information verification module 1110 configured to verify, in response to receiving a device activation request from a first device, identity authentication information of the first device indicated in the device activation request. The apparatus 1100 may include an activation credential transmission module 1120 configured to transmit an activation credential to the first device in response to verification of the identity authentication information being successful. The apparatus 1100 may further include a device certificate sending module 1130 configured to send the device certificate to the first device in response to receiving a certificate signing request from the first device. The device certificate is generated based on the certificate signing request.
In some embodiments, at least one of the activation request, the activation certificate, the certificate signing request, and the device certificate is transmitted over a secure connection between the first device and the second device.
In some embodiments, the apparatus 1100 may be further configured to sign the activation certificate with a first private key of the first asymmetric key pair and transmit a first public key of the first asymmetric key pair to the first device.
In some embodiments, the apparatus 1100 may be further configured to obtain a second public key of a second asymmetric key pair from the certificate signing request, the second asymmetric key pair being generated in a trusted environment associated with the first device, and to generate the device certificate by signing the second public key.
In some embodiments, the apparatus 1100 may be further configured to receive an activation acknowledgement for the first device from the first device.
Fig. 12 illustrates a schematic block diagram of an apparatus 1200 for device verification according to some embodiments of the disclosure.
As shown in fig. 12, the apparatus 1200 may include a signature verification module 1210 configured to, in response to receiving a verification request from a first device, verify the verification request with a second public key of a second asymmetric key pair, the second asymmetric key pair being generated in a trusted environment associated with the first device, and a verification response transmission module 1220 configured to transmit a corresponding verification response to the first device according to a result of the signature verification.
The elements included in apparatus 900, apparatus 1000, apparatus 1100, and/or apparatus 1200 may be implemented in various ways, including software, hardware, firmware, or any combination thereof. In some embodiments, one or more units may be implemented using software and/or firmware, such as machine executable instructions stored on a storage medium. In addition to or in lieu of machine-executable instructions, some or all of the elements of apparatus 900, apparatus 1000, apparatus 1100, and/or apparatus 1200 may be implemented at least in part by one or more hardware logic components. By way of example and not limitation, exemplary types of hardware logic components that can be used include Field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standards (ASSPs), systems On Chip (SOCs), complex Programmable Logic Devices (CPLDs), and the like.
Fig. 13 illustrates a block diagram of a computing device/server 1300 in which one or more embodiments of the disclosure may be implemented. It should be understood that the computing device/server 1300 illustrated in fig. 13 is merely exemplary and should not be taken as limiting the functionality and scope of the embodiments described herein.
As shown in fig. 13, computing device/server 1300 is a form of general purpose computing device. Components of computing device/server 1300 may include, but are not limited to, one or more processors or processing units 1310, memory 1320, storage 1330, one or more communication units 1340, one or more input devices 1360, and one or more output devices 1360. The processing unit 1310 may be an actual or virtual processor and is capable of performing various processes in accordance with programs stored in the memory 1320. In a multiprocessor system, multiple processing units execute computer-executable instructions in parallel to increase the parallel processing capabilities of computing device/server 1300.
Computing device/server 1300 typically includes a number of computer storage media. Such media can be any available media that is accessible by computing device/server 1300 and includes, but is not limited to, volatile and non-volatile media, removable and non-removable media. The memory 1320 may be volatile memory (e.g., registers, cache, random Access Memory (RAM)), non-volatile memory (e.g., read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof. The storage device 1330 may be a removable or non-removable media and may include machine-readable media such as flash drives, magnetic disks, or any other media that may be capable of storing information and/or data (e.g., training data for training) and may be accessed within the computing device/server 1300.
Computing device/server 1300 may further include additional removable/non-removable, volatile/nonvolatile storage media. Although not shown in fig. 13, a magnetic disk drive for reading from or writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk may be provided. In these cases, each drive may be connected to a bus (not shown) by one or more data medium interfaces. Memory 1320 may include a computer program product 1325 having one or more program modules configured to perform the various methods or acts of the various embodiments of the present disclosure.
Communication unit 1340 enables communication with other computing devices via a communication medium. Additionally, the functionality of the components of computing device/server 1300 may be implemented as a single computing cluster or as multiple computing machines capable of communicating over a communication connection. Accordingly, computing device/server 1300 may operate in a networked environment using logical connections to one or more other servers, a network Personal Computer (PC), or another network node.
The input device 1350 may be one or more input devices such as a mouse, keyboard, trackball, etc. The output device 1360 may be one or more output devices such as a display, speakers, printer, etc. The computing device/server 1300 can also communicate with one or more external devices (not shown), such as storage devices, display devices, etc., as desired, through the communication unit 1340, with one or more devices that enable a user to interact with the computing device/server 1300, or with any device (e.g., network card, modem, etc.) that enables the computing device/server 1300 to communicate with one or more other computing devices. Such communication may be performed via an input/output (I/O) interface (not shown).
According to an exemplary implementation of the present disclosure, a computer-readable storage medium is provided, on which one or more computer instructions are stored, wherein the one or more computer instructions are executed by a processor to implement the method described above.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various implementations of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description of implementations of the present disclosure has been provided for illustrative purposes, is not exhaustive, and is not limited to the implementations disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various implementations described. The terminology used herein was chosen in order to best explain the principles of each implementation, the practical application, or the improvement of technology in the marketplace, or to enable others of ordinary skill in the art to understand each implementation disclosed herein.

Claims (18)

1. A method of device authentication, comprising:
Transmitting, at a first device, a device activation request to a second device, the device activation request including identity authentication information of the first device;
In response to receiving an activation credential from the second device, storing the activation credential in a trusted environment associated with the first device, wherein the activation credential is generated by the second device encrypting authorization content and a digest value with a first private key of a first asymmetric key pair, the authorization content including a range of services for which the first device is authorized, the first asymmetric key pair being generated by the second device and the digest value being generated by the second device hashing the determined authorization content for the first device;
Sending a certificate signing request to the second device, the certificate signing request generated in the trusted environment based at least in part on the activation certificate, comprising generating a second asymmetric key pair in the trusted environment, encrypting field information obtained from the activation certificate with a second private key pair of the second asymmetric key pair, and generating a certificate signing request based on the encrypted field information and a second public key of the second asymmetric key pair, and
A device certificate received from the second device is stored in the trusted environment, the device certificate generated based on the certificate signing request.
2. The method of claim 1, further comprising:
A secure connection between the first device and the second device is established for transmission of at least one of the device activation request, the activation credential, the credential signature request, and the device credential.
3. The method of claim 1, wherein storing the activation credential in a trusted environment associated with the first device comprises:
verifying the activation certificate by signing based on a first public key of a first asymmetric key pair, the first private key of the first asymmetric key pair being used by the second device to sign the activation certificate, and
In response to the signature verification passing, the activation credential is stored in the trusted environment.
4. The method of claim 1, further comprising:
Generating a second asymmetric key pair in the trusted environment;
Signing the certificate signing request with the second private key of the second asymmetric key pair, and
And sending a second public key of the second asymmetric key pair to the second device.
5. The method of claim 1, further comprising:
and sending an activation confirmation to the second device.
6. A method of device verification, comprising:
Searching for an activation credential in a trusted environment associated with a first device, the activation credential generated by a second device for authenticating the first device, wherein generating the activation credential includes the second device encrypting authorization content and a digest value with a first private key of a first asymmetric key pair to generate the activation credential, the authorization content including a range of services for which the first device is authorized, the first asymmetric key pair generated by the second device, and the digest value generated by the second device hashing the determined authorization content for the first device;
in response to determining that the activation credential exists in the trusted environment, locally verifying the activation credential, and
Generating, in response to the activation credential passing local verification, an activated verification identity for identity verification of the first device for local service by a device credential stored in a trusted environment associated with the first device, wherein the device credential is generated by the second device based on a credential signature request sent by the first device, the credential signature request is generated by the first device based on the activation credential;
Generating a verification request in response to the activation credential passing local verification;
signing the verification request with a second private key of a second asymmetric key pair, the second asymmetric key pair being generated in the trusted environment, wherein a second public key of the second asymmetric key pair has been sent by the first device to the second device during a previous device authentication process, and
The signed verification request is sent to the second device for identity verification of the first device in a remote service.
7. The method of claim 6, wherein locally verifying the activation credential comprises verifying at least one of:
legitimacy of the activation certificate, and
The validity period of the activation certificate.
8. A method of device authentication, comprising:
In response to receiving a device activation request from a first device, verifying, at a second device, identity authentication information of the first device indicated in the device activation request;
Transmitting an activation certificate to the first device in response to the verification of the identity authentication information being successful, wherein the activation certificate is generated by the second device encrypting authorized content and a digest value using a first private key of a first asymmetric key pair, the authorized content including a range of services for which the first device is authorized, the first asymmetric key pair being generated by the second device and the digest value being generated by the second device hashing the determined authorized content for the first device, and
The method includes generating, in response to receiving a certificate signing request from a first device, wherein the certificate signing request is generated by the first device based on the activation certificate, sending, to the first device, a device certificate, the device certificate generated based on the certificate signing request, including encrypting second public key and field information included in the certificate signing request with a third private key of a third asymmetric key pair to generate the device certificate.
9. The method of claim 8, wherein at least one of the activation request, the activation credential, the credential signature request, and the device credential is transmitted over a secure connection between the first device and the second device.
10. The method of claim 8, further comprising:
signing the activation certificate with a first private key of a first asymmetric key pair, and
A first public key of the first asymmetric key pair is sent to the first device.
11. The method of claim 8, further comprising generating the device certificate in the following manner:
Obtaining a second public key of a second asymmetric key pair from the certificate signing request, the second asymmetric key pair being generated in a trusted environment associated with the first device, and
The device certificate is generated by signing the second public key.
12. The method of claim 8, further comprising:
an activation confirmation for the first device is received from the first device.
13. The method of claim 8, further comprising verifying the first device in the following manner:
in response to receiving a verification request from a first device, signing the verification request with a second public key of a second asymmetric key pair, the second asymmetric key pair being generated in a trusted environment associated with the first device, and
And sending a corresponding verification response to the first device according to the signature verification result.
14. An apparatus for device authentication, comprising:
an activation request sending module configured to send a device activation request to a second device, the device activation request including identity authentication information of a first device;
An activation credential storage module configured to store an activation credential in a trusted environment associated with the first device in response to receiving the activation credential from the second device, wherein the activation credential is generated by the second device encrypting authorization content and a digest value with a first private key of a first asymmetric key pair, the authorization content including a range of services for which the first device is authorized, the first asymmetric key pair being generated by the second device, and the digest value being generated by the second device hashing the determined authorization content for the first device;
A certificate signing request transmission module configured to transmit a certificate signing request to the second device, the certificate signing request generated in the trusted environment based at least in part on the activation certificate, comprising generating a second asymmetric key pair in the trusted environment, encrypting field information obtained from the activation certificate with a second private key of the second asymmetric key pair, and generating a certificate signing request based on the encrypted field information and a second public key of the second asymmetric key pair, and
A device certificate storage module configured to store a device certificate received from the second device in the trusted environment, the device certificate generated based on the certificate signing request.
15. An apparatus for device verification, comprising:
An activation credential lookup module configured to lookup an activation credential in a trusted environment associated with a first device, the activation credential generated by a second device for authenticating the first device, wherein generating the activation credential comprises the second device encrypting authorization content and a digest value with a first private key of a first asymmetric key pair to generate the activation credential, the authorization content comprising a range of services for which the first device is authorized, the first asymmetric key pair generated by the second device, and the digest value generated by the second device hashing the determined authorization content for the first device;
a local verification module configured to verify the activation credential locally in response to determining that the activation credential is present in the trusted environment;
An activated verification identity generation module configured to generate an activated verification identity for identity verification of the first device for local services by a device certificate stored in a trusted environment associated with the first device in response to the activation certificate passing local verification, wherein the device certificate is generated by the second device based on a certificate signature request sent by the first device, the certificate signature request being generated by the first device based on the activation certificate;
a verification request generation module configured to generate a verification request in response to the activation credential passing a local verification;
A verification request signing module configured to sign the verification request with a second private key of a second asymmetric key pair, the second asymmetric key pair being generated in the trusted environment, wherein a second public key of the second asymmetric key pair has been sent by the first device to the second device during a previous device authentication process, and
And a verification request sending module configured to send the signed verification request to the second device for identity verification of the first device in a remote service.
16. An apparatus for device authentication, comprising:
an authentication information verification module configured to verify, in response to receiving a device activation request from a first device, identity authentication information of the first device indicated in the device activation request;
An activation credential transmission module configured to transmit an activation credential to the first device in response to the verification of the identity authentication information being successful, wherein the activation credential is generated by a second device encrypting an authorization content and a digest value with a first private key of a first asymmetric key pair, the authorization content including a range of services for which the first device is authorized, the first asymmetric key pair being generated by the second device and the digest value being generated by the second device hashing the determined authorization content for the first device, and
The device includes a device certificate sending module configured to send a device certificate to a first device in response to receiving a certificate signing request from the first device, wherein the certificate signing request is generated by the first device based on the activation certificate, the device certificate being generated based on the certificate signing request, including encrypting a second public key and field information included in the certificate signing request with a third private key of a third asymmetric key pair to generate the device certificate.
17. An electronic device, comprising:
at least one processing unit, and
At least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, which when executed by the at least one processing unit, cause the electronic device to perform the method according to any one of claims 1 to 5, any one of claims 6 to 7, any one of claims 8 to 12, or claim 13.
18. A computer readable storage medium having stored thereon a computer program which when executed by a processor implements a method according to any of claims 1 to 5, according to any of claims 6 to 7, according to any of claims 8 to 12 or according to claim 13.
CN202210642088.1A 2022-06-07 2022-06-07 Device authentication and verification method, device, equipment and storage medium Active CN115037480B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202210642088.1A CN115037480B (en) 2022-06-07 2022-06-07 Device authentication and verification method, device, equipment and storage medium
US18/836,689 US20250168017A1 (en) 2022-06-07 2023-05-11 Method, apparatus, device and storage medium for device authentication and checking
PCT/CN2023/093556 WO2023236720A1 (en) 2022-06-07 2023-05-11 Device certification method and apparatus, device verification method and apparatus, and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210642088.1A CN115037480B (en) 2022-06-07 2022-06-07 Device authentication and verification method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115037480A CN115037480A (en) 2022-09-09
CN115037480B true CN115037480B (en) 2025-01-14

Family

ID=83123762

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210642088.1A Active CN115037480B (en) 2022-06-07 2022-06-07 Device authentication and verification method, device, equipment and storage medium

Country Status (3)

Country Link
US (1) US20250168017A1 (en)
CN (1) CN115037480B (en)
WO (1) WO2023236720A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037480B (en) * 2022-06-07 2025-01-14 抖音视界(北京)有限公司 Device authentication and verification method, device, equipment and storage medium
CN116992490B (en) * 2023-05-31 2025-03-07 北京火山引擎科技有限公司 Method, device, equipment and storage medium for interaction management
US20250080363A1 (en) * 2023-08-28 2025-03-06 Lenovo (United States) Inc. Secure device referral to second environment system
CN117858088B (en) * 2023-12-29 2024-09-27 慧之安信息技术股份有限公司 Authentication method and system for ad hoc network-oriented Internet of things equipment
CN118018215B (en) * 2024-03-01 2024-10-25 奥特酷智能科技(南京)有限公司 OP-TEE-based vehicle-mounted certificate book management system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769043A (en) * 2018-06-06 2018-11-06 中国联合网络通信集团有限公司 Trusted application Verification System and trusted application authentication method
CN112511316A (en) * 2020-12-08 2021-03-16 深圳依时货拉拉科技有限公司 Single sign-on access method and device, computer equipment and readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978682A (en) * 2016-06-27 2016-09-28 武汉斗鱼网络科技有限公司 Mobile terminal token generation system and method thereof for judging identity of login user
CN108990060B (en) * 2017-06-05 2021-02-02 中国移动通信集团公司 A certificate distribution system and method for base station equipment
KR20210017083A (en) * 2019-08-06 2021-02-17 삼성전자주식회사 Electronic device and method for generating attestation certificate based on fused key
CN111625781B (en) * 2020-08-03 2020-11-10 腾讯科技(深圳)有限公司 SDK authorization authentication method, device, equipment and storage medium
CN115037480B (en) * 2022-06-07 2025-01-14 抖音视界(北京)有限公司 Device authentication and verification method, device, equipment and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769043A (en) * 2018-06-06 2018-11-06 中国联合网络通信集团有限公司 Trusted application Verification System and trusted application authentication method
CN112511316A (en) * 2020-12-08 2021-03-16 深圳依时货拉拉科技有限公司 Single sign-on access method and device, computer equipment and readable storage medium

Also Published As

Publication number Publication date
WO2023236720A1 (en) 2023-12-14
US20250168017A1 (en) 2025-05-22
CN115037480A (en) 2022-09-09

Similar Documents

Publication Publication Date Title
US20240039714A1 (en) Secure Circuit For Encryption Key Generation
US11489678B2 (en) Platform attestation and registration for servers
CN115037480B (en) Device authentication and verification method, device, equipment and storage medium
CN111010410B (en) Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
CN109075976B (en) Certificate issuance depending on key authentication
US9838205B2 (en) Network authentication method for secure electronic transactions
US8689290B2 (en) System and method for securing a credential via user and server verification
CN109639427B (en) Data sending method and equipment
US20210226793A1 (en) Providing high availability computing service by issuing a certificate
CN107086981B (en) Controlled Security Code Authentication
TW201732669A (en) Controlled secure code authentication
CN101241528A (en) Method and access system for terminal accessing trusted PDA
TW202137199A (en) Method of authenticating biological payment device, apparatus, electronic device, and computer-readable medium
WO2016173211A1 (en) Application identifier management method and device
WO2016054990A1 (en) Security check method, device, terminal and server
US7073062B2 (en) Method and apparatus to mutually authentication software modules
US20240223370A1 (en) Method for authentication of a service provider device to a user device
KR20200016506A (en) Method for Establishing Anonymous Digital Identity
WO2016165662A1 (en) Mobile phone quasi-digital certificate subsystem, and system and method thereof
CN115242471A (en) Information transmission method and device, electronic equipment and computer readable storage medium
CN113987461B (en) Identity authentication method and device and electronic equipment
TWI673621B (en) Information registration, authentication method and device
KR101813069B1 (en) Financial service proving method using keylock
CN119966606A (en) Password authentication method, device, equipment and medium
KR20250016345A (en) Concept for server-based sharing of digital keys

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant